Best practices for users to stay secure while virtualizing

Any company using cloud computing likely has applications and data that are virtualized. Even so, not everyone is well versed in virtualization security and some of the concerns it may bring. Cloud architect Steve Pate wrote on Computerworld that there are issues that organizations need to look out for, including hypervisor vulnerabilities, ineffective workload partitioning and insider threats.

"In any virtualized environment, the administrators who control the infrastructure have a great deal of access," Pate wrote. "Even though most companies vet their employees carefully, insiders can still do a lot of damage. Now, consider a public cloud, where you don't have any control at all over who they hire to tend your data. I certainly don't want to point fingers, but these folks may care less about your company's success than they do about gleaning some lucrative trade secrets."

While this isn't the complete list of vulnerabilities that exist to virtualized environments, it shows that there needs to be policies set by organizations to make sure that their environments and data will be kept as safe as possible, according to Pate. With the hypervisor, he said there must be patches applied to protect against new vulnerabilities and certificates must be in place within the system. He added that virtualziation should be monitored consistently as well.

Regarding the virtualized network, he said administrators must understand the implications of having interactions between virtualized machines and legacy hardware. Companies must be aware of how the virtual machine is secured versus physical hardware, adding that the same security techniques should be applied to both. For example, if a system needs to be regulated according to PCI-DSS, that should apply to both physical and virtual machines. Change and configuration management must also be considered, but it may be difficult to bring a virtualized environment into this system at first.

"Organizations need to evaluate the security issues that result from requested and planned systems changes," Pate said. "This includes request and approval, planning and testing, scheduling and communication, implementation and documenting the process, and following up afterwards."

Before doing anything regarding virtualization security, TechTarget contributor Anil Desai said organizations must assess the risk that is in place. Questions such as "How will information be protected on the guest host?," "Are host and guest operating systems updated automatically?" and "Does the VM have access to the internet?" must be asked as soon as possible so the organization knows what it will be dealing with in a virtualized setting.

"Answering each question can help clue you in to issues that may need to be addressed," he wrote. "For example, non-networked VMs that reside on a test network will likely have different security requirements from those that are running in a production environment."